RHEL 8.9: Long nftables command runtime with large ruleset and IP sets

Issue

  • Long nftables command runtime with large ruleset and IP sets
  • Our Illumio container software adds ~134k IP rules to nftables, consisting of several IP sets with 40k+ IPs each. In RHEL 8.8 and earlier, the runtime of the nft command was ~9 seconds. Since RHEL 8.9, the runtime has grown to ~19 minutes.

Environment

  • Red Hat Enterprise Linux 8.9
  • nftables-1.0.4-3.el8_9
  • Large nftables rule set filtering many IP addresses, use of large IP sets
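As an added reproducer (not part of the Red Hat article or of Illumio's software), the script below generates a synthetic ruleset with several large named IPv4 sets and a rule referencing each, so the nft runtime can be measured before and after an update. The table and set names and the 10.0.0.0/8 addresses are constructed for this demo; `time_load` only runs a check (`nft -c -f`), so nothing is committed to the host firewall.

```shell
#!/bin/sh
# Added example: build a large nftables ruleset (several named sets with
# tens of thousands of IPv4 addresses each) and time its evaluation.
# Table/set names and addresses are constructed for this demo.

# gen_ruleset FILE NSETS NELEMS
# Writes NSETS sets of NELEMS unique addresses each, plus one drop rule
# per set in an input chain that references it.
gen_ruleset() {
    file=$1; nsets=$2; nelems=$3
    awk -v nsets="$nsets" -v nelems="$nelems" 'BEGIN {
        print "table inet perf_demo {"
        for (s = 1; s <= nsets; s++) {
            printf "  set blocklist%d {\n    type ipv4_addr\n    elements = {\n", s
            for (i = 0; i < nelems; i++) {
                n = (s - 1) * nelems + i    # unique index -> unique address
                printf "      10.%d.%d.%d%s\n", int(n / 65536) % 256,
                       int(n / 256) % 256, n % 256, (i < nelems - 1 ? "," : "")
            }
            print "    }\n  }"
        }
        print "  chain input {\n    type filter hook input priority 0; policy accept;"
        for (s = 1; s <= nsets; s++)
            printf "    ip saddr @blocklist%d counter drop\n", s
        print "  }\n}"
    }' > "$file"
}

# count_elements FILE : number of set element lines in the generated file
count_elements() {
    grep -c '^      10\.' "$1"
}

# time_load FILE : parse and evaluate the ruleset without committing it
# (-c). Applying it for real is left to the administrator on a test host;
# the demo table can then be removed with: nft delete table inet perf_demo
time_load() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping" >&2
        return 0
    fi
    time nft -c -f "$1"
}

# Usage (not run automatically; 3 sets x 40000 addresses as in the report):
#   gen_ruleset /tmp/perf.nft 3 40000 && time_load /tmp/perf.nft
```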
